id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,branch,branch_author
5807,something in twisted.web should respect (x-)forwarded-for on the server side,Glyph,Evilham,"This should work vaguely the same way that `twisted.web.vhost.VHostMonsterResource` works.
- `Request.getHost()` should return the forwarded-for host rather than the `Host:`.
- `Request.isSecure` should return the security of the [http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-5.4 proto] parameter.
Like `VHostMonster`, there should be some configuration required to get into this mode. One mechanism for doing that would be to have a `ForwardedForParserResource`; however, since the connecting address is quite important, it may also be reasonable to build this directly into `Site`. Trusting random forwarded-for headers off the internet would not be good, so it should be easy to specify what the address of the expected terminating proxy is.
Also, forwarded-for is a bit more expressive than the vhostmonster idiom in that it can describe multiple hops. This additional information should be exposed through an explicit API - perhaps a new `forwardedFor` method on Resource that returns an iterable of objects describing the hosts that it was forwarded through.
See #5806, https://tools.ietf.org/html/rfc7239",enhancement,new,normal,,web,,,Allister MacLeod github@…,branches/forwarded-for-5807,sirgolan